Release 31.0.4 introduces one breaking change (see below). It also brings a handful of containerization improvements, fixes several security vulnerabilities, upgrades many potentially vulnerable dependency libraries, fixes one bug in the BSM daemon, and fixes many non-security bugs.
ScriptPolicy now require that their scripts be located beneath $OPENNMS_HOME/etc/script-policies, respectively. If you are using either of these classes in your foreign-source definitions, please address this requirement before upgrading to this release.
The following known issues impact Horizon 31.0.4; we expect all to be fixed in the next micro-version release:
- Regular users are unable to acknowledge or clear alarms from the geographical map’s integrated alarm browser. Until we identify a fix, it is possible to work around this problem by adding ROLE_REST to a user’s set of assigned roles. See NMS-15080 for details. Thanks to Ricardo Monteiro for bringing this problem to our attention.
- On systems where dual-write time series persisting is enabled, an intermittent startup problem may cause either a delay before data starts to be persisted, or a hard failure necessitating a restart of the core. See NMS-15326 for details.
- The ALEC plugin currently cannot be successfully installed on a Sentinel node. At release time, it is unclear whether the problem lies in Sentinel or in ALEC. Some details are captured in NMS-15396.
Shout-outs and errata
- Thanks to researcher Baharuddin Zulkifli of NetbyteSEC for reporting several cross-site scripting vulnerabilities.
- Thanks to researcher Stefan Schiller of SonarSource for reporting a pair of authenticated command-injection vulnerabilities.
- Thanks to Ricardo Monteiro for bringing the geo-map alarms problem NMS-15080 to our attention.
- The release notes for 31.0.3 incorrectly stated that NMS-15124 was fixed in that release. In actual fact, the fix is in this release (31.0.4).
- Add search term highlight functionality in documentation (Issue NMS-13540)
- Geo Map node groups should split into individual markers (Issue NMS-15150)
- Meridian container images are signed (Issue NMS-15341)
The codename for Horizon 31.0.4 is Otap.
- remove image related defaults from Docker container makefile (Issue NMS-13583)
- Add documentation for SELinux as a requirement to run OpenNMS (Issue NMS-14210)
- No way to know the alarm type (as type 1, 2 or 3) from web UI (Issue NMS-14578)
- Deploy Release Jars to Maven Central (Issue NMS-14727)
- Make the cloud connect plugin available in container images (Issue NMS-15012)
- Data collection and graph definitions for provisiond performance (Issue NMS-15018)
- DOC: Configuration Manager API for External Requisitions is not documented (Issue NMS-15019)
- Update docs with steps to activate Path Outage feature (Issue NMS-15218)
- Container: output some details when we copy files into the container in entrypoint.sh (Issue NMS-15226)
- Update VMware provisiond handler docs (Issue NMS-15270)
- Make the ALEC plugin available in container images (Issue NMS-15349)
- Make the Cortex TSS plugin available in container images (Issue NMS-15350)
- Smoke test improvements and small tweaks to help developers (Issue NMS-15387)
- Multiple stored and reflected XSS in webapp (Issue NMS-14854)
- Authenticated Command Injection in GpDetector and ScriptPolicy (Issue NMS-14878)
- Cacheable HTTPS Responses - Cache Control Directive Missing or Misconfigured (Issue NMS-14936)
- reloading BSM daemon causes the state of serviceProblem alarm to be reset (Issue NMS-15124)
- Notification number doesn’t show more than 2 digits (Issue NMS-15172)
- Jetty context startup failures are not clearly communicated to the user (Issue NMS-15179)
- CVE-2017-7504 for javassist 3.18.2-ga and 3.19.0-ga (Issue NMS-15191)
- CVE-2017-7504 for jboss-logging 3.1.0.cr2 (Issue NMS-15192)
- CVE-2014-2228 for org.restlet 1.1.10 (Issue NMS-15193)
- CVE-2019-13990 for quartz 2.2.3 (Issue NMS-15194)
- CVE-2022-45047 for sshd-sftp 2.5.1 (Issue NMS-15195)
- CVE-2021-21342 and 7 others for xstream 188.8.131.52 (Issue NMS-15196)
- CVE-2014-9970 for jasypt 1.9.0 (Issue NMS-15197)
- CVE-2021-33813 for jdom2 2.0.6 (Issue NMS-15198)
- CVE-2022-40149 and CVE-2022-40150 for jettison 1.3.8 (Issue NMS-15199)
- CVE-2016-5725 for jsch 0.1.51 (Issue NMS-15200)
- CVE-2022-3171 for protobuf-java 3.16.1 (Issue NMS-15201)
- CVE-2018-17187 for proton-j 0.14.0 (Issue NMS-15202)
- CVE-2017-15288 and CVE-2020-7907 for scala-library 2.11.0 and 2.12.12 (Issue NMS-15203)
- CVE-2020-13936 for velocity 1.7 (Issue NMS-15204)
- CVE-2020-11988 for xmlgraphics-commons 1.4 (Issue NMS-15205)
- rescanExisting does not trigger a nodeScan for newly added nodes when scan-interval is 0 in foreignSource definition (Issue NMS-15208)
- Update docs TOC to include missing notification commands file (Issue NMS-15266)
- CircleCI: integration-test job isn’t reporting test results (Issue NMS-15271)
- NPE in karaf.log when parallel TSDB writes enabled (Issue NMS-15282)
- Sanitize request parameters in outage/list.htm (Issue NMS-15294)
- Plaintext Password Present in the Web logs (Issue NMS-15305)
- Upgrade Apache Kafka Dependency Beyond 3.2.0 (Issue NMS-15317)
- RingBufferTimeseriesWriter.destroy can take a long time or hang due to BlockingServiceLookup.lookup in WorkProcessors (Issue NMS-15324)
- Dead transaction in flow thresholding on sentinel (Issue NMS-15340)
- Regular requisition editor empty state incorrectly names external requisitions (Issue NMS-15347)
- When we fail to startup, we don’t exit with a non-zero exit code so failures cannot be properly reflected in containers (Issue NMS-15386)
- ALEC plugin dependency update (Issue NMS-15391)
- CVE in Jolokia 1.3.3 dependency (Issue NMS-15068)
- CVE-2021-37714 for jsoup (multiple versions) (Issue NMS-15069)
- vulnerable Junit dependency (Issue NMS-15074)
- RHEL9 installation documentation tab (Issue NMS-15079)
- Document deviceconfig tftp maximumReceiveSize (Issue NMS-15121)
- JAVA_KEYALIAS Variable needs to be updated (Issue NMS-15239)
- JAVA_KEYSTORE Variable needs to be updated (Issue NMS-15240)
- JAVA_STOREPASS Variable needs to be updated (Issue NMS-15241)
- Document the breaking changes done as part of Limit script file locations for GpDetector and ScriptPolicy (Issue NMS-15288)
- Release notes / wart: ALEC not installable on M2023.1.0 / H31.0.4 Sentinel (Issue NMS-15403)
- Release notes / wart: dual-write TS delay on startup (Issue NMS-15404)
- Release notes / wart: Geo map alarms and ROLE_REST (thank Ricardo Monteiro for the report) (Issue NMS-15406)
- Publish container images to a container registry other than DockerHub (Issue NMS-15091)
- Link on Netflow9 to main Netflow doc is broken (Issue NMS-15144)